njrat | 56b813058735d5f0980dae75394cba6e78d2096f142aaf7811251dbac7657bb1

General

Target

Remcos Professional Cracked By Alcatraz3222-cleaned.exe
Size

17.9MB
MD5

946125ea1dcd4d87c44b603f608dd64c
SHA1

48635fd472da387b60a43d4b65813516f99c8c55
SHA256

56b813058735d5f0980dae75394cba6e78d2096f142aaf7811251dbac7657bb1
SHA512

b3f42641a68cd4e7c365a031f6c1997e3c4efcf0fbf6b616341062b23f58e90d6a08d93ac249de1b53151a8dfb728da5cbdfd8d18e96892410038385fb96c7e5
SSDEEP

393216:tHN4EgV1uaHYxhfJJZu9rOtEK0Vc+shB97mip52wrqi3nHoKzMWUOCF:tCEm54vJJZWWMgp5HuuzMWU

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1036 netsh.exe

pid	process
1036	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Remcos Professional Cracked By Alcatraz3222-cleaned.exe

Executes dropped EXE 2 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exetaskhost.exe

pid process

4028 Remcos Professional Cracked By Alcatraz3222.exe
2828 taskhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exe

pid process

4028 Remcos Professional Cracked By Alcatraz3222.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.exe

description pid process target process

PID 3212 set thread context of 2828 3212 Remcos Professional Cracked By Alcatraz3222-cleaned.exe taskhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4028	Remcos Professional Cracked By Alcatraz3222.exe
2828	taskhost.exe

pid	process
4028	Remcos Professional Cracked By Alcatraz3222.exe

description	pid	process	target process
PID 3212 set thread context of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.exeRemcos Professional Cracked By Alcatraz3222.exetaskhost.exe

pid	process
3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
4028	Remcos Professional Cracked By Alcatraz3222.exe
4028	Remcos Professional Cracked By Alcatraz3222.exe
4028	Remcos Professional Cracked By Alcatraz3222.exe
4028	Remcos Professional Cracked By Alcatraz3222.exe
3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe
2828	taskhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
Token: SeDebugPrivilege	2828	taskhost.exe
Token: 33	2828	taskhost.exe
Token: SeIncBasePriorityPrivilege	2828	taskhost.exe
Token: 33	2828	taskhost.exe
Token: SeIncBasePriorityPrivilege	2828	taskhost.exe
Token: 33	2828	taskhost.exe
Token: SeIncBasePriorityPrivilege	2828	taskhost.exe
Token: 33	2828	taskhost.exe
Token: SeIncBasePriorityPrivilege	2828	taskhost.exe
Token: 33	2828	taskhost.exe
Token: SeIncBasePriorityPrivilege	2828	taskhost.exe
Token: 33	2828	taskhost.exe
Token: SeIncBasePriorityPrivilege	2828	taskhost.exe
Token: 33	2828	taskhost.exe
Token: SeIncBasePriorityPrivilege	2828	taskhost.exe
Token: 33	2828	taskhost.exe
Token: SeIncBasePriorityPrivilege	2828	taskhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exe

pid process

4028 Remcos Professional Cracked By Alcatraz3222.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exe

pid process

4028 Remcos Professional Cracked By Alcatraz3222.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exe

pid process

4028 Remcos Professional Cracked By Alcatraz3222.exe

pid	process
4028	Remcos Professional Cracked By Alcatraz3222.exe

pid	process
4028	Remcos Professional Cracked By Alcatraz3222.exe

pid	process
4028	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.execmd.exetaskhost.exe

description	pid	process	target process
PID 3212 wrote to memory of 4028	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	Remcos Professional Cracked By Alcatraz3222.exe
PID 3212 wrote to memory of 4028	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	Remcos Professional Cracked By Alcatraz3222.exe
PID 3212 wrote to memory of 4028	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	Remcos Professional Cracked By Alcatraz3222.exe
PID 3212 wrote to memory of 3780	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3212 wrote to memory of 3780	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3212 wrote to memory of 3780	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3212 wrote to memory of 1448	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3212 wrote to memory of 1448	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3212 wrote to memory of 1448	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 1448 wrote to memory of 4620	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 4620	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 4620	1448	cmd.exe	reg.exe
PID 3212 wrote to memory of 1376	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3212 wrote to memory of 1376	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3212 wrote to memory of 1376	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3212 wrote to memory of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3212 wrote to memory of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3212 wrote to memory of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3212 wrote to memory of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3212 wrote to memory of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3212 wrote to memory of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3212 wrote to memory of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3212 wrote to memory of 2828	3212	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 2828 wrote to memory of 1036	2828	taskhost.exe	netsh.exe
PID 2828 wrote to memory of 1036	2828	taskhost.exe	netsh.exe
PID 2828 wrote to memory of 1036	2828	taskhost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222-cleaned.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222-cleaned.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
2⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
3⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
2⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
Filesize
17.9MB

MD5
946125ea1dcd4d87c44b603f608dd64c

SHA1
48635fd472da387b60a43d4b65813516f99c8c55

SHA256
56b813058735d5f0980dae75394cba6e78d2096f142aaf7811251dbac7657bb1

SHA512
b3f42641a68cd4e7c365a031f6c1997e3c4efcf0fbf6b616341062b23f58e90d6a08d93ac249de1b53151a8dfb728da5cbdfd8d18e96892410038385fb96c7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini
Filesize
32B

MD5
902927c48d191e30067d84a53158e2ba

SHA1
95dd6d3508790b98d1a576f0b2057bdcc2099247

SHA256
b408602c7d2107d819b18d47cbc196a307ab6435bbc819173f300e76573e616c

SHA512
328af5e697278b2c8150534162c330b11e9cc3024ee676cf9321a248701d99322cc1341694904d0ca5c6898e74e39419cd36765499d6992934075b08276c8eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/2828-177-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/2828-176-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/2828-173-0x0000000005670000-0x000000000567A000-memory.dmp

Filesize
40KB

Download
memory/2828-172-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/2828-171-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/2828-169-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/2828-178-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/2828-164-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3212-133-0x0000000000950000-0x0000000001B32000-memory.dmp

Filesize
17.9MB

Download
memory/3212-170-0x0000000006470000-0x0000000006480000-memory.dmp

Filesize
64KB

Download
memory/3212-134-0x0000000006500000-0x000000000659C000-memory.dmp

Filesize
624KB

Download
memory/4028-151-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/4028-158-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4028-154-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/4028-153-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4028-152-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/4028-148-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4028-174-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4028-149-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/4028-150-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/4028-146-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/4028-179-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/4028-147-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/4028-226-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads